Terraform AWS Permissions Generator
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
bootstrap Initial Commit Dec 9, 2018
completed_policies Initial Commit Dec 9, 2018
lib Initial Commit Dec 9, 2018
policy_modifier Initial Commit Dec 9, 2018
test_resources Initial Commit Dec 9, 2018
.gitignore Initial Commit Dec 9, 2018
Gemfile Initial Commit Dec 9, 2018
LICENSE.txt (Chore) Add MIT License Dec 9, 2018
README.md (Chore) Add README Dec 9, 2018
generate Initial Commit Dec 9, 2018


Terraform AWS Permissions Generator

Warning: This will launch and destroy all resources defined within your terraform project. I'd recommend creating a new AWS account to run this.

Terraform AWS Permissions Generator creates an AWS IAM policy containing only the permissions required to launch and destroy resources defined in a terraform project.

It does this by running terraform, then parsing the crash log for the permissions it needs, adding them to a policy, and trying again until terraform completes successfully.

Disclaimer: This was just a bit of weekend fun - There's probably much better ways to get a set of permissions. Use at your own risk!

Quick Start

The AWS account you will be running this against will need bootstrapping to create the required user/roles/policies to allow the generator to run.

To bootstrap the account:

cd bootstrap
terraform init
terraform apply -var region=<aws_region>

This also places the user credentials and config in the following files, at the root of this repo:


They need to be there to run the generate script

Some directories in the project need to be initialized, and dependencies installed. You may add terraform backends if you wish. To setup:

bundle install
cd policy_modifier
terraform init
cd ..
cd test_resources
terraform init
cd ..

You can now run the generate script. This is the point that resources will begin being created and destroyed.

Using test_resources as an example, which launches and destroys a t2.micro EC2 instance:

./generate --region <aws_region> --terraform-path test_resources

Once complete, it will output an IAM policy into completed_policies


Usage: generate [options]
    -v TERRAFORM_VAR_FILE,           Terraform variable file
    -r, --region AWS_REGION          AWS Region
    -p TERRAFORM_PATH,               Terraform path
    -a, --auto-approve AUTO_APPROVE  Auto approve